Activities Processed in Real Time
The Threat Protection pipeline processes events in two separate streams: the real-time stream and the batch stream. User activities relevant to data exfiltration are processed in the real-time stream, and everything else is processed in the batch stream.
The following activities are processed in the real-time stream, listed by service.
Amazon Web Services
| Activity Name | Activity Category | Source |
|---|---|---|
| AttachInternetGateway | Administration | API |
| AttachLoadBalancerToSubnets | Administration | API |
| AttachNetworkInterface | Administration | API |
| AttachRolePolicy | Administration | API |
| AttachUserPolicy | Administration | API |
| AttachVolume | Administration | API |
| AttachVpnGateway | Administration | API |
| AuthorizeSecurityGroupEgress | Administration | API |
| CheckMfa | Administration | API |
| CreateAccessKey | Administration | API |
| CreateVpcEndpoint | Administration | API |
| CreateVpcPeeringConnection | Administration | API |
| CreateVpnConnection | Administration | API |
| CreateVpnConnectionRoute | Administration | API |
| CreateVpnGateway | Administration | API |
| DeactivateMFADevice | Administration | API |
| DeactivatePipeline | Administration | API |
| Decrypt | Administration | API |
| DeleteNetworkAcl | Administration | API |
| DeleteNetworkAclEntry | Administration | API |
| Encrypt | Administration | API |
| GenerateCredentialReport | Administration | API |
| GetAccountAuthorizationDetails | Administration | API |
| GetAccountSettings20160819 | Administration | API |
| GetAuthorizationToken | Administration | API |
| GetAuthorizers | Administration | API |
| ListRoots | Administration | API |
| ListSecurityConfigurations | Administration | API |
| ListServerCertificates | Administration | API |
| ListSSHPublicKeys | Administration | API |
| ListWebACLs | Administration | API |
| StopLogging | Administration | API |
| UpdateServiceSpecificCredential | Administration | API |
| UpdateSSHPublicKey | Administration | API |
| UploadServerCertificate | Administration | API |
| UploadSSHPublicKey | Administration | API |
| CopyDBSnapshot | Data Download | API |
| CopyImage | Data Download | API |
| CopySnapshot | Data Download | API |
| DownloadDBLogFilePortion | Data Download | API |
| GenerateClientCertificate | Data Download | API |
| GenerateDataKey | Data Download | API |
| GenerateDataKeyWithoutPlaintext | Data Download | API |
| GetApiKey | Data Download | API |
| GetApiKeys | Data Download | API |
| GetBucketAcl | Data Download | API |
| GetClientCertificates | Data Download | API |
| GetClusterCredentials | Data Download | API |
| GetIdentityMailFromDomainAttributes | Data Download | API |
| GetKeyPairs | Data Download | API |
| GetSSHPublicKey | Data Download | API |
| GitPull | Data Download | API |
| ImportImage | Data Download | API |
| DOWNLOAD | Data Download | Proxy/SSL Logs, API |
Azure AD
| Activity Name | Activity Category | Source |
|---|---|---|
| Reset user password | Administration | API |
| Set domain authentication | Administration | API |
| Verify email verified domain | Administration | API |
| Viral tenant creation | Administration | API |
| Update external secrets | Data Updates | API |
| Password logon initial auth using password | Login Success | API |
| DOWNLOAD | Data Download | Proxy/SSL Logs |
Box
| Activity Name | Activity Category | Source |
|---|---|---|
| Folder Copy | Data Access | API |
| Download File | Data Download | Proxy/SSL Logs, API |
| Download Folder | Data Download | API |
| Admin Login | Login Success | API |
| DOWNLOAD | Service Usage | Proxy/SSL Logs |
Dropbox
| Activity Name | Activity Category | Source |
|---|---|---|
| File/Folder Copy | Data Access | Proxy/SSL Logs |
| DOWNLOAD | Data Download | Proxy/SSL Logs |
| Download File | Data Download | Proxy/SSL Logs |
| Download Folder/Files as ZIP | Data Download | Proxy/SSL Logs |
| Restored Versioned File | Data Download | Proxy/SSL Logs |
Dropbox for Business
| Activity Name | Activity Category | Source |
|---|---|---|
| Changed single sign-on identity mode | Administration | API |
| Changed single sign-on url | Administration | API |
| Disabled single sign-on | Administration | API |
| Disabled two-step verification | Administration | API |
| Removed single sign-on url | Administration | API |
| Removed two-step verification backup phone | Administration | API |
| Transferred account contents | Administration | API |
| Updated single sign-on certificate | Administration | API |
| File Copied | Data Access | API |
| Allowed non collaborators to view links to files in a shared folder | External Data Sharing | API |
| Copied the contents of a link to their Dropbox (non-team member) | External Data Sharing | API |
| Downloaded the contents of a link (non-team member) | External Data Sharing | API |
| Invited non-team member(s) to a shared folder | External Data Sharing | API |
| Made the contents of a link visible to anyone with the link | External Data Sharing | API |
| Failed to sign in via SSO | Login Failure | API |
| download_files | Service Usage | API |
Exchange Online
| Activity Name | Activity Category | Source |
|---|---|---|
| Disable-MalwareFilterRule | Administration | API |
| Remove-DlpPolicy | Administration | API |
| Remove-MalwareFilterPolicy | Administration | API |
| Remove-MalwareFilterRule | Administration | API |
| Set-MalwareFilterPolicy | Administration | API |
| Set-MalwareFilterRule | Administration | API |
| Set-RoleGroup | Administration | API |
| Set-SharingPolicy | Administration | API |
| Copy item to folder | Data Access | API |
| Mailbox is accessed by an admin or delegate | Data Access | API |
| Mailbox login | Login Success | API |
Google Drive
| Activity Name | Activity Category | Source |
|---|---|---|
| DOWNLOAD | Service Usage | API |
| Download File | Service Usage | API |
Office 365
| Activity Name | Activity Category | Source |
|---|---|---|
| Yammer-Download File | Data Download | Proxy/SSL Logs |
| FileDownloaded | Service Usage | API |
| FileSyncDownloadedFull | Service Usage | API |
| FileSyncDownloadedPartial | Service Usage | API |
| DOWNLOAD | Data Download | Proxy/SSL Logs |
OneDrive
| Activity Name | Activity Category | Source |
|---|---|---|
| Update User Permissions | Administration | Proxy/SSL Logs |
| Copy File | Data Access | Proxy/SSL Logs |
| Copy Folder | Data Access | Proxy/SSL Logs |
| Download Word Document as PDF/PPT/ODT | Data Download | Proxy/SSL Logs |
| Download Workbook | Data Download | Proxy/SSL Logs |
| Download File | Data Download | Proxy/SSL Logs |
| Site collection admin added | Administration | API |
| WAC token shared | Administration | API |
| File copied | Data Access | API |
| File changes downloaded to computer | Data Download | API |
| File downloaded | Data Download | API |
| Files downloaded to computer | Data Download | API |
SharePoint
| Activity Name | Activity Category | Source |
|---|---|---|
| DOWNLOAD | Service Usage | Proxy/SSL Logs |
| Site collection admin added | Administration | API |
| WAC token shared | Administration | API |
| File copied | Data Access | API |
| File changes downloaded to computer | Data Download | API |
| File downloaded | Data Download | API |
| Files downloaded to computer | Data Download | API |
Salesforce
| Activity Name | Activity Category | Source |
|---|---|---|
| Create Delegated Administrators | Administration | Proxy/SSL Logs, API |
| Create Login IP Range of Profile | Administration | Proxy/SSL Logs, API |
| Create NetworkAccess Entry | Administration | Proxy/SSL Logs, API |
| Create Permission Sets | Administration | Proxy/SSL Logs, API |
| Create PermissionSet | Administration | Proxy/SSL Logs, API |
| Deactivate User | Administration | Proxy/SSL Logs, API |
| Delete Group | Administration | Proxy/SSL Logs, API |
| Delete Login IP Range of Profile | Administration | Proxy/SSL Logs, API |
| Delete NetworkAccess Entry | Administration | Proxy/SSL Logs, API |
| Delete PermissionSet | Administration | Proxy/SSL Logs, API |
| Delete Role/Sub Role | Administration | Proxy/SSL Logs, API |
| Download Setup Audit Trail | Administration | Proxy/SSL Logs, API |
| Edit NetworkAccess Entry | Administration | Proxy/SSL Logs, API |
| Inline Delete Permission Sets | Administration | Proxy/SSL Logs, API |
| Manage Delegated Groups | Administration | Proxy/SSL Logs, API |
| Mass Delete | Administration | Proxy/SSL Logs, API |
| Remove Delegated Group | Administration | Proxy/SSL Logs, API |
| Create Attachment | Data Access | Proxy/SSL Logs, API |
| List Account | Data Access | Proxy/SSL Logs, API |
| List Contact | Data Access | Proxy/SSL Logs, API |
| List Contract | Data Access | Proxy/SSL Logs, API |
| List Opportunity | Data Access | Proxy/SSL Logs, API |
| View Account | Data Access | Proxy/SSL Logs, API |
| View Accounts | Data Access | Proxy/SSL Logs, API |
| View Attached File | Data Access | Proxy/SSL Logs, API |
| View Attachment | Data Access | Proxy/SSL Logs, API |
| View Contact | Data Access | Proxy/SSL Logs, API |
| View Contacts | Data Access | Proxy/SSL Logs, API |
| View Contract | Data Access | Proxy/SSL Logs, API |
| View Contracts | Data Access | Proxy/SSL Logs, API |
| View Leads | Data Access | Proxy/SSL Logs, API |
| View Opportunities | Data Access | Proxy/SSL Logs, API |
| Chatter File Download | Data Download | Proxy/SSL Logs, API |
| Data Exported | Data Download | Proxy/SSL Logs, API |
| Download Doc | Data Download | Proxy/SSL Logs, API |
| Download Preview | Data Download | Proxy/SSL Logs, API |
| Download Saved Report | Data Download | Proxy/SSL Logs, API |
| Login | Login Success | Proxy/SSL Logs, API |
| Download Ad-hoc Report | Report Execution | Proxy/SSL Logs, API |
| Document Attachment Downloads | Service Usage | API |
| DOWNLOAD | Service Usage | Proxy/SSL Logs, API |
Slack
| Activity Name | Activity Category | Source |
|---|---|---|
| Channel Created | Administration | API |
| Download File | Data Download | Proxy/SSL Logs |
| File Downloaded | Data Download | Proxy/SSL Logs |
